Manual for Pijul
# Signing patches

In any distributed system, it is important to be able to tell your
coauthors who you are in a secure way. One possible way to do this is
to *sign your patches*, which Pijul does using PGP keys.

If you choose to do so, others will expect your patches to be signed,
and will be able to reject attempts to impersonate you.

Signing patches does not, however, prevent others from stealing your
patches, stripping off their signatures and signing them as their own.

After a keypair is generated, `pijul record` will automatically sign
all your patches.


## <a name="signing-patches"></a> Generating a secret key

Pijul can generate signing keys, either per repository (the keys are
then stored in the `.pijul` directory of that repository) or globally
(in which case the keys are stored in your home directory, in
`.pijulconfig`).

To generate a global signing key, run the following command in a
terminal:

```
pijul key gen --signing-id me@example.com
```

## <a name="signing-patches"></a> Uploading your public key to the Nest

For security reasons, the Nest will never offer you any interface to
upload your public key.

Instead, you can ask Pijul to convince the Nest (or actually any
other server) that you really own the secret key associated with your
public key. Once you have a secret key, this can be done by running
the following command in a terminal:

```
pijul key upload me@ssh.pijul.com
```

Internally, that command asks the Nest to generate a challenge string,
signs it, and replies with the signature. If the signature is correct,
the Nest will know the public key, and recognise it as yours.
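
The challenge-response exchange described above, sketched as an added example (not Pijul's or the Nest's code). It assumes the client sends its public key along with the signature, uses Lamport one-time hash signatures as a stand-in for PGP signatures because the Python standard library has no public-key signing, and the names `Server`, `challenge` and `register` are hypothetical.

```python
import hashlib, hmac, secrets

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time keypair (stand-in for a PGP key): sign ONE message only.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret of each pair, selected by the bits of the message hash.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        hmac.compare_digest(H(s), pk[i][b])
        for (i, b), s in zip(enumerate(bits(msg)), sig))

class Server:
    """Hypothetical stand-in for the server side; not the Nest's real code."""
    def __init__(self):
        self.pending = {}  # account -> outstanding challenge
        self.keys = {}     # account -> public key accepted for that account

    def challenge(self, account):
        self.pending[account] = secrets.token_bytes(32)  # fresh random nonce
        return self.pending[account]

    def register(self, account, pk, sig):
        nonce = self.pending.pop(account, None)  # single use, so no replay
        if nonce is None or not verify(pk, nonce, sig):
            return False
        self.keys[account] = pk
        return True

def demo():
    server = Server()
    sk, pk = keygen()
    sig = sign(sk, server.challenge("me"))
    accepted = server.register("me", pk, sig)
    replayed = server.register("me", pk, sig)  # challenge already consumed
    # Constructed failure case: claim pk while holding a different secret key.
    other_sk, _ = keygen()
    wrong = server.register("other", pk, sign(other_sk, server.challenge("other")))
    return accepted, replayed, wrong
```

`demo()` returns `(True, False, False)`: the key is accepted only when the signature over a fresh, unused challenge verifies under the public key being claimed.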